DNS over HTTPS

herver edited this page Jan 5, 2021 · 230 revisions

DOH

Resolve DNS names over HTTPS for privacy, performance, and security. It also makes it easier to use a name server of your choice instead of the one configured for your system.

Spec

RFC 8484 - DNS Queries over HTTPS (DoH)

Publicly available servers

| Who runs it | Base URL | Working* | Comment |
|---|---|---|---|
| A | | | |
| aaflalo.me | Server US: https://dns-nyc.aaflalo.me/dns-query<br>Server EU: https://dns.aaflalo.me/dns-query | :heavy_check_mark:<br>:heavy_multiplication_x: | Runs on Star Brilliant's dns-over-https<br>Both servers check for DNSSEC and block advertising |
| AdGuard | Default: https://dns.adguard.com/dns-query<br>Family protection: https://dns-family.adguard.com/dns-query | :heavy_check_mark:<br>:heavy_check_mark: | Default provides ad-blocking at DNS level, while Family protection adds adult site blocking. |
| AhaDNS.com | https://doh.nl.ahadns.net/dns-query<br>https://doh.in.ahadns.net/dns-query<br>https://doh.la.ahadns.net/dns-query | :heavy_check_mark:<br>:heavy_check_mark:<br>:heavy_check_mark: | A zero logging DNS with support for DNS-over-HTTPS (DoH) & DNS-over-TLS (DoT). Blocks ads, malware, trackers, viruses and telemetry. DNSSEC, TLS 1.3, Open Source. |
| Alibaba Public DNS | https://dns.alidns.com/dns-query | :heavy_check_mark: | DoH/DoT/DNS Json API, Best DoH/DoT server in China |
| Andrews & Arnold | https://dns.aa.net.uk/dns-query | :heavy_check_mark: | no logging (see DNS Disclaimer) |
| alekberg | Spain: https://dnses.alekberg.net/dns-query<br>Holland: https://dnsnl.alekberg.net/dns-query<br>Sweden: https://dnsse.alekberg.net/dns-query | :heavy_check_mark:<br>:heavy_check_mark:<br>:heavy_check_mark: | DoH Servers in Spain, Holland and Sweden. No logging, no filtering, DNSSEC support. |
| armadillodns.net | https://doh.armadillodns.net/dns-query | :heavy_multiplication_x: | No source IP logging. |
| Association 42l | https://doh.42l.fr/dns-query | :heavy_check_mark: | DNSSEC, not logging queries' content, uses doh-proxy and edgedns for caching. Queries proxied randomly through FFDN members' open DNS resolvers (French ISPs committing for net neutrality). |
| B | | | |
| blahdns.com | Finland: https://doh-fi.blahdns.com/dns-query<br>Japan: https://doh-jp.blahdns.com/dns-query<br>Germany: https://doh-de.blahdns.com/dns-query | :heavy_check_mark:<br>:heavy_check_mark:<br>:heavy_check_mark: | Based on Go implementation, knot-resolver, Unbound with DNSSEC, No ECS, No logs, Adsblock |
| blockerDNS | https://example.doh.blockerdns.com/dns-query | :question: (:moneybag:) | DNS-based ad-blocking service; One-man operation; ZERO IP and DNS query logging for DoH and DoT. Charges 99c per month for https DOH service |
| BraveDNS | Malware and ad-blocking: https://free.bravedns.com/dns-query<br>Endpoint configuration with custom blocklists: https://bravedns.com/configure | :heavy_check_mark: | A stub resolver running in 200+ locations world-wide on Cloudflare. Fast, secure, private, transparent, configurable DNS resolver. No ECS. Implements CNAME Cloaking. No-logging. github |
| C | | | |
| captnemo.in | https://doh.captnemo.in/dns-query | :heavy_multiplication_x: | Runs dnss with local unbound resolver running DNSCrypt with DNSSEC support as the upstream. Privacy Policy. More details at https://captnemo.in/doh/. No logging or filtering. Runs in Bangalore, India |
| Charter | California: https://doh-01.spectrum.com/dns-query<br>Texas: https://doh-02.spectrum.com/dns-query | :heavy_check_mark: | Trial - Testing multiple platforms |
| CIRA Canadian Shield | Private: https://private.canadianshield.cira.ca/dns-query<br>Protected: https://protected.canadianshield.cira.ca/dns-query<br>Family: https://family.canadianshield.cira.ca/dns-query | :heavy_check_mark:<br>:heavy_check_mark:<br>:heavy_check_mark: | Supports DNSSEC, keeps DNS traffic inside Canada.<br>Private: DNS resolution service that keeps your DNS data private from third-parties.<br>Protected: Includes Private features and adds malware and phishing blocking.<br>Family: Includes Protected and Private features and blocks pornographic content. |
| Cisco Umbrella/OpenDNS | Standard: https://doh.opendns.com/dns-query<br>FamilyShield (blocks adult content): https://doh.familyshield.opendns.com/dns-query | :heavy_check_mark:<br>:heavy_check_mark: | DNSSEC, Anycast |
| CleanBrowsing | https://doh.cleanbrowsing.org/doh/family-filter/ | :heavy_check_mark: | anycast DoH server with parental control (restricts access to adult content + enforces safe search) |
| Cloudflare | https://cloudflare-dns.com/dns-query<br>also available via Tor onion service<br>Mozilla: https://mozilla.cloudflare-dns.com/dns-query<br>Block Malware: https://security.cloudflare-dns.com/dns-query<br>Block Malware and Adult Content: https://family.cloudflare-dns.com/dns-query<br>DNS64: https://dns64.cloudflare-dns.com/dns-query | :heavy_check_mark:<br>:question:<br>:heavy_check_mark:<br>:heavy_check_mark:<br>:question: | Supports both -04 and -13 content-types |
| Comcast | https://doh.xfinity.com/dns-query | :heavy_check_mark: | Experimental, DNSSEC |
| Commons Host | https://commons.host | :heavy_multiplication_x: | ~20 PoPs worldwide, Node.js/playdoh over Knot Resolver. |
| ContainerPI | Unfiltered by Cloudflare:<br>https://dns.containerpi.com/dns-query<br>Filtered by CleanBrowsing, blocks adult content:<br>https://dns.containerpi.com/doh/family-filter/<br>Filtered, blocks malicious domains only:<br>https://dns.containerpi.com/doh/secure-filter/ | :heavy_check_mark:<br>:heavy_multiplication_x:<br>:heavy_multiplication_x: | Based on m13253/DNS-over-HTTPS, no logging, EDNS Client Subnet enabled. Multiple nodes in China Mainland(limited), China Taiwan, Japan, South Korea, India, Germany, România, Russia, USA and Brazil. |
| Cox | https://dohdot.coxlab.net/dns-query | :heavy_multiplication_x: | Experimental, No DNSSEC |
| CZ.NIC | https://odvr.nic.cz/dns-query | :heavy_check_mark: | Runs on Knot Resolver (doh2), supports DNSSEC, provided by .cz TLD operator |
| D | | | |
| Digitale Gesellschaft | https://dns.digitale-gesellschaft.ch/dns-query | :heavy_check_mark: | No query/IP logging, no filtering, QNAME minimization, TLS 1.3, DNSSEC; https://www.digitale-gesellschaft.ch/dns/ |
| dns.flatuslifir.is | https://dns.flatuslifir.is/dns-query | :heavy_check_mark: | Public adblock server that supports DoT & DoH for fun and learning, no logging, supports DNSSEC, qname-minimisation, ECS is not enabled. Located in Iceland, built on pihole, nginx, unbound, m13253/DNS-over-HTTPS |
| DNS.SB | https://doh.dns.sb/dns-query | :heavy_check_mark: | DNSSEC enabled |
| dnsforge.de | https://dnsforge.de/dns-query | :heavy_check_mark: | No logging. Support DNSSEC. Hosted in Germany |
| dnsHome.de | https://dns.dnshome.de/dns-query | :heavy_check_mark: | DoH Server in Germany. No logging, No filtering, DNSSEC and own DNS Resolver |
| DNSlify | https://doh.dnslify.com/dns-query | :heavy_check_mark: | Anycast, No Logging, Own Recursion, Strict Privacy Policy. |
| doh.li | https://doh.li/dns-query | :heavy_check_mark: | Runs on dns-over-https, no logging, EDNS Client Subnet enabled, based in DigitalOcean London. DNSSEC and adblock not currently enabled. |
| F | | | |
| FAELIX | https://rdns.faelix.net/ | :heavy_check_mark: | No logging, based on dnsdist-doh RC querying our powerdns-recursor resolvers, multiple nodes in UK and CH, more info |
| ffmuc.net | https://doh.ffmuc.net/dns-query | :heavy_check_mark: | DoH-Server of Freifunk München. No logging, no filter, DNSSEC, own recursion. More in our wiki |
| Foundation for Applied Privacy | https://doh.applied-privacy.net/query | :heavy_check_mark: | No query/IP logging, no filtering, QNAME minimization, no EDNS client subnet, TLS 1.3, DNSSEC, RFC7706, RFC8198; https://applied-privacy.net/services/dns/ |
| G | | | |
| Google | https://dns.google/dns-query<br>DNS64: https://dns64.dns.google/dns-query | :heavy_check_mark:<br>:heavy_check_mark: | Full RFC 8484 support |
| H | | | |
| Hostux.net | Uncensored DNS: https://dns.hostux.net/dns-query<br>Adblocking DNS: https://dns.hostux.net/ads | :heavy_check_mark:<br>:heavy_check_mark: | DNSSEC, no EDNS Client-Subnet, not logging queries' content, hosted in Luxembourg. |
| Hurricane Electric (he.net) | https://ordns.he.net/dns-query | :heavy_check_mark: | Also supports DoT and TLS 1.3, Does not support DNSSEC. Anycast servers. |
| J | | | |
| jcdns.fun | https://jcdns.fun/dns-query | :heavy_multiplication_x: | secure nginx, Non-Logged / Uncensored, hosted on Digital Ocean VPS by jamesacampbell AKA James Campbell. |
| jitender | https://jit.ddns.net/dns-query | :heavy_check_mark: | DoH server - India, Oracle Cloud, Hyderabad, India, Runs with nginx, high availability, load balanced by nginx with multiple backend DNS servers. Blocks ad, analytics, trackers blocking provides a clean browsing experience. @coolquasar |
| jp.tiar.app | https://jp.tiar.app/dns-query<br>https://jp.tiarap.org/dns-query | :heavy_check_mark: | No Censorship, No Logging, No ECS, support DNSSEC in Japan |
| L | | | |
| LavaDNS | USA: https://us1.dns.lavate.ch/dns-query, Finland: https://eu1.dns.lavate.ch/dns-query | :heavy_check_mark: | DoH server in USA and Finland. No logging, no filtering, no ECS, DNSSEC support. |
| lelux.fi | https://resolver-eu.lelux.fi/dns-query | :heavy_multiplication_x: | DoH server in France. No logging, no filtering, DNSSEC support. |
| LibreDNS | https://doh.libredns.gr/dns-query | :heavy_check_mark: | no logging, TLS 1.3, No DNSSEC |
| M | | | |
| Moulticast | https://dns.moulticast.net/dns-query | :heavy_check_mark: | IPv6 Anycast DoH servers in Europe (more locations to come). No logging, no filtering, no ECS, DNSSEC support. |
| N | | | |
| nextdns.io | `https://dns.nextdns.io/<config_id>`<br>Create a config ID | :heavy_check_mark: | The first cloud-based private DNS service that gives you full control over what is allowed and what is blocked on the Internet. 300,000 domain resolution per month is free! Quite a fine-granular dashboard, the same account can be used for multiple devices with prefixes to easier track activities on the dashboard! |
| NekomimiRouter.com | https://dns.dns-over-https.com/dns-query | :heavy_check_mark: | Runs Go implementation. Does recursion itself with no upstream servers. Toy server may fail, please report if fails |
| P | | | |
| pi-dns.com | https://doh.pi-dns.com/dns-query<br>https://doh.centraleu.pi-dns.com/dns-query<br>https://doh.northeu.pi-dns.com/dns-query<br>https://doh.westus.pi-dns.com/dns-query<br>https://doh.eastus.pi-dns.com/dns-query<br>https://doh.eastau.pi-dns.com/dns-query<br>https://doh.eastas.pi-dns.com/dns-query | :heavy_check_mark: | A zero logging DNS with support for DNS-over-HTTPS (DoH) & DNS-over-TLS (DoT). Blocks ads, malware, trackers, viruses and telemetry. DNSSEC, TLS 1.3 |
| PowerDNS | https://doh.powerdns.org | :heavy_check_mark: | Based on dnsdist-doh branch |
| Q | | | |
| Quad9 | Recommended: https://dns.quad9.net/dns-query<br>Secured: https://dns9.quad9.net/dns-query<br>Unsecured: https://dns10.quad9.net/dns-query<br>Secured w/ECS Support: https://dns11.quad9.net/dns-query | :heavy_check_mark:<br>:heavy_check_mark:<br>:heavy_check_mark: | Secured provides: Security blocklist, DNSSEC, no EDNS Client-Subnet<br>Unsecured provides: No security blocklist, no DNSSEC, no EDNS Client-Subnet<br>Recommended is currently identical to Secured. |
| R | | | |
| Rubyfish.cn | https://dns.rubyfish.cn/dns-query | :heavy_check_mark: | East China Zone, Based on https://github.com/m13253/dns-over-https |
| S | | | |
| Snopyta | https://fi.doh.dns.snopyta.org/dns-query | :heavy_check_mark: | Non-logging DoH Server in Finland |
| SWITCH | https://dns.switch.ch/dns-query | :heavy_check_mark: | DNSSEC validation protects from forged or manipulated DNS data from upstream servers, DNS Query Name Minimisation to improve privacy, SWITCH DNS Firewall blocks access to infected or malicious websites and redirects users to a landing page |
| T | | | |
| Tiarap | https://doh.tiar.app/dns-query<br>https://doh.tiarap.org/dns-query | :heavy_check_mark:<br>:heavy_check_mark: | Based in Singapore, No logging, block Ad/Ad-tracking/Malware, No ECS, DNSSEC |
| TWNIC | https://dns.twnic.tw/dns-query | :heavy_check_mark: | No source IP logging. Operated by Quad101 project, according to this announcement |
| W | | | |
| wugui.zone | https://dns.wugui.zone/dns-query<br>https://dns-asia.wugui.zone/dns-query | :heavy_check_mark:<br>:heavy_check_mark: | DoH Server in Russia. No logging, No filtering |
| @#$% | | | |
| @chantra | https://dns.dnsoverhttps.net/dns-query | :heavy_check_mark: | "toy server" which runs doh-proxy |
| @jedisct1 | https://doh.crypto.sx/dns-query | :heavy_check_mark: | a server which runs another project called doh-proxy, written in Rust. |
| ibksturm.synology.me | https://ibksturm.synology.me/dns-query | :heavy_check_mark: | doh-server (nginx - dnsproxy - unbound), DNSSEC / Non-Logged / Uncensored, OpenNIC and Root DNS-Zone Copy Hosted in Switzerland by ibksturm, aka Andreas Ziegler. |
| @matthewgall - mydns.network | https://adblock.mydns.network/dns-query (adblock, using PiHole) | :heavy_check_mark: | no logging, DNSSEC enforcing, DDoS protected (using Spectrum by Cloudflare), anycast |
| @null31 | https://ibuki.cgnat.net/dns-query | :heavy_check_mark: | Based in Brazil / doh-server (nginx - dnsdist - unbound) / dot-server (dnsdist - unbound) / DNSSEC / QNAME minimization / Uncensored / no logging, no ECS, hosted on Oracle Cloud VPS by null31. |
| @publicarray dns.seby.io | https://doh-2.seby.io/dns-query<br>https://doh.seby.io:8443/dns-query | :heavy_multiplication_x:<br>:heavy_check_mark: | Australian server that runs @m13253's Go implementation, Unbound with DNSSEC, No ECS, and No logs |

*: Tested via curl --doh-url <RESOLVER_URI> http://google.com.

Private DNS Server with DoH setup examples

| Base | Source | Comment |
|---|---|---|
| Docker | https://github.com/satishweb/docker-doh | Complete Docker stack using Star Brilliant's dns-over-https and Docker Flow Proxy |
| Docker | https://github.com/coolquasar/dnsproxy | Complete DoH, DoT and DoQ stack in docker based on Adguard home dnsproxy project. Could host DoH,DoT and DoQ quickly in a cloud server, and run respective clients in local Docker env. It has been tested in Raspberry PI as well |

Supported in browsers and clients

| Name | Version | Comments |
|---|---|---|
| Firefox | 62 | Firefox DNS-over-HTTPS |
| Bromite | 67.0.3396.88 | How to enable DoH |
| curl | 7.62.0 | See DOH-implementation |
| OkHttp | 3.11 | See Providers |
| curl-doh | n/a | basic stand-alone DoH client that uses curl |
| Chrome | 66 | https://bugs.chromium.org/p/chromium/issues/detail?id=799753 |

DOH Tools

| Name | Author/Organization | Comments |
|---|---|---|
| coredns | Cloudflare | CoreDNS is a DNS server/forwarder, written in Go from the Cloud Native Computing Foundation. |
| doh-proxy | Facebook | tools for DoH |
| dns2doh | Daniel | tool for generating DOH responses and questions. |
| doh-proxy | Frank Denis | server-side proxy in rust |
| doh-php-client | Daniel Cid | can be used to test and run DoH requests via PHP applications. |
| doh-js-client | Peter Lai | client-side implementation of DoH, can be used in nodejs backend. |
| jDnsProxy | Travis Burtrum | DNS proxy and cache, implementing DNS-over-TLS, DNS-over-HTTPS, and Serve-Stale |
| dns-over-https | Star Brilliant | server-side and client-side implementation, written in Golang |
| dnsdist | PowerDNS | supports doh, see https://dnsdist.org/guides/dns-over-https.html |
| dnss | Alberto Bertogli | daemon written in Go which acts as a proxy (the most common use case), and as a server (in case you want end-to-end control). |
| nss-tls | Dima Krasner | a daemon that makes gethostbyname(), getaddrinfo(), etc. happen through DoH, without any change to applications, thus transparently migrating all applications that don't use their own resolver (like some browsers) from DNS to DoH. |
| dealdoh | Maxime Elomari | a middleware to proxy DoH requests to different DNS upstreams, written in PHP. |
| Encrypted-DNS | Siujoeng Lau | DNS-over-HTTPS forwarder written in Python |
| RouteDNS | Frank Olbricht | a flexible stub resolver, proxy, and router with support for DoH, DoT, and plain DNS written in Go. |
| h2odoh | Max Kostikov | an implementation with H2O HTTP/2 server using embedded mruby. |
| Encrypted DNS Server | Frank Denis | can serve DNSCrypt and DoH traffic simultaneously, written in Rust. |
| dnscrypt-proxy | Frank Denis | dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols. |
| quart-doh | Matthieu Treussart | HTTP/2 server who serves a DOH proxy written in Python, with Quart Python web microframework. |
| EasyDoH | ElevenPaths | a simple add-on for Firefox that allows one to easily activate DNS over HTTPS and its working mode with just one click. |
| dohjs | BYU IMAAL | Client DoH JavaScript library for accessing DNS information from web applications. Can be tested at dohjs.org |
| Technitium DNS Server | Technitium | A FOSS, cross-platform DNS Server written in C# that can consume as well as host DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) services. |
| kdig | CZ.NIC | Utility that sends one or more DNS queries to a nameserver. Each query can have individual settings, or it can be specified globally via common-settings, which must precede query specification. This utility supports DoH. |

Other

Script to parse DoH provider URLs from this wiki page
